Fact-Checking the Opening Salvo from the Opponents of Prop 24

[Update 7/24/20: the opponent responded via Twitter, I fact-checked the response in this blog post.]

[Update 8/4/20: Washington Post reports that one of the world's largest data broker, Acxiom, opposes Prop 24, yet #NoOnProp24 opponents still claim that "Big businesses have not objected to the ballot initiative." The head of the opposition also told the WaPo that they will be soliciting money from Big Tech companies to fight Prop 24.] 

I am going to use this blog post to fact check the first published article that argued in opposition to California Proposition 24. Prop 24 is the California Privacy Rights Act of 2020 (CPRA) that is on the ballot this November. CPRA represents the “Version 2.0” of current California privacy law that is known as the California Consumer Privacy Act (CCPA) which passed in 2018 and went into effect in 2020.  Let me first give the executive summary and then if you want you can read the nitty-gritty details.

Executive Summary

The first published article expressing various arguments in opposition to Prop 24 was from an organization called Media Alliance (MA), one of the opponents of Prop 24.  They published it here on July 6, 2020 with the title “No on Prop 24.” The article states that “sometimes the CPRA is very, very good and sometimes the CPRA is very, very bad.  And when it is bad, it is horrible.”  And then it gives 5 specific examples of it being “horrible.” 

In doing an analysis of each of the 5 arguments and comparing them to what was written in the CPRA, I found all their arguments to be either false and/or misleading. For example, their lead argument why the CPRA is “horrible” is regarding the Privacy Protection Agency (CalPPA), and basically they get almost everything wrong about it (e.g. they misstate by half the annual budget of the CalPPA, how the transition from California AG to the CalPPA would occur, if the budget could be increased, etc.).  I believe this article would "horribly" misinform a voter.

Background on Why I am Writing this Blog Post

As readers of my blog will know, over the last 9+ months I have been doing some deep dives into privacy laws.  And as some readers may know, I also have 15+ years of professional experience involving cybersecurity and privacy, including previously founding and being CEO of a $100+m company that employed over 500 people focused on these topics.  Customers of my last company used our solutions to improve their internal security and meet compliance requirements from regulations such as GDPR, HIPAA, etc. as well as meet industry standards such as PCI-DSS.  Plus, my company itself had to be GDPR compliant, as we had a multi-tenanted cloud that operated in data centers in Europe and the US.  So, cybersecurity and privacy are not conceptual to me.

When I started writing about privacy laws, I knew of GDPR and CCPA, and only really started deeply digging into the CPRA earlier this year.  After careful study, I became impressed with it.  So after the CPRA has made the ballot, I blogged that I support it (but not in any affiliated capacity, i.e. I support it like I support the Golden State Warriors). 

So why I am writing this blog post?  In researching and writing my last blog post on the California Privacy Protection Agency (CalPPA) — one of the major features being proposed by the California Privacy Rights Act of 2020 (CPRA) — I stumbled upon this “No on Prop 24” article, and I was like whoa, how could they get everything so wrong on the CalPPA?  It made me think that if this is the first “No” article out there, did the article get their other arguments totally wrong too?  So, I decided to roll up my sleeves and fact check the rest of it.

Nitty-Gritty Details

MA’s 5 main “CPRA is horrible” arguments are:  #1 CalPPA is badly set up and has a paltry budget; #2 CPRA expands something the called “system integrity” that opens up loopholes to businesses to mess with consumers ability to opt-out;  #3 CPRA has increased what they refer to as “pay for privacy”; #4  the CPRA downgrades business obligations; and #5 the CPRA does not reflect CCPA being in action.  I will go through each, although note I will leverage the text of my last blog post for comments on #1.  Suffice to say they got a lot of stuff “horribly” wrong.  But here goes:

Argument #1:  Dumping on the CalPPA

Here is #1

Let’s go through this line by line.

“CPRA removes enforcement of data privacy laws from the CA DOJ and moves it to a new state privacy commission that will be newly created.”

Yes, that is correct, although the CPRA calls it the Privacy Protection “Agency” vs. “Commission” but that’s fine. 

“Then CPRA gives this brand new agency that will have to get started from zero, …”

This bit about “start[ed] from zero” is false. Section 1798.199.95 of the CPRA clearly states “The Attorney General shall provide staff support to the Agency until such time as the Agency has hired its own staff” and “the Attorney General shall be reimbursed by the Agency for these services.”So clearly work “shall” be done while the Agency staffs up, it will just be done by DOJ people, but no one externally will see the difference.  So, it is not starting from zero, the law clearly says that the DOJ must ensure that is not the case.  But also, given that per the DOJ CCPA budget, the Cal AG just got done hiring all these net new people to do CCPA regulation and enforcement, and why would most of them not simply transfer over to do the same job with the Agency?

“… a paltry budget of $5 million dollars a year …”

Let’s parse this into two.  Regarding the $5 million number:  this is false.  As I discussed in the CalPPA blog post, it has an annual budget of $10 million. If you read Section 1798.199.95 of the CPRA, the $5 million reference in the CPRA is for the first Fiscal Year of its existence, and because the Agency is formed halfway through the State Fiscal Year (which ends June 30) it only gets half its annual amount in that shortened time frame.  i.e. if I get paid $100k a year, and I start my new job on July 1, that does not mean my annual salary is $50k.  In fact, given the Agency will be formed in January 2021, even from a calendar 2021 perspective (vs Fiscal Year), the first full year of existence the Agency will have $10 million to spend.  Note in the CPRA the $10 million number was mentioned in the same sentence as the $5 million, so not sure why the author stopped reading after seeing the $5 million number, but whatever ...

Now let’s talk “paltry,” we will call this one contradictory.  If one were to think $5 million is paltry, and you were now told the actual number is $10 million, you still may not be jumping up and down because you wanted more, but you would probably not use the word “paltry” as you now have 2X what one considered paltry. 

But let’s compare the actual $10 million number to what California has done in the past.  Currently the spend by the Cal AG for privacy enforcement is $4.5 million, so CPRA is over 2x that.  By opposing CPRA, MA for now wants to maintain the current CCPA law which spends less (i.e. even less than what they consider paltry).  And with the California Office of Privacy Protection (COPP), which had a budget of $500k in 2011 before it was closed by Jerry Brown to cut the budget, the group Consumer Federation of California (CFC) — that MA is aligned with on this matter — praised the impact of that $500k, saying “California’s modest investment in privacy protection produces a much bigger positive contribution to our state’s bottom line” and “the services of the Office of Privacy Protection more than pay for themselves in the form of greater state tax revenues and reduced state and local government agency costs.”  So, if a consumer group like CFC thought the COPP got great bang for the buck for $500k, then why not think that for a comparable agency that spends 20x more? 

And if you look at the press release that announced MA’s and other group’s opposition, it references the PPA funding as “$100 million of taxpayers money” over a decade, clearly putting the thumb on the scale (vs. just saying $10 million per year) and implying that $10 million is one high number.  But here’s the thing, if $5 million (actually $10 million) is paltry, but $10 million is clearly implied to be way too high and an afront to taxpayers, at this point the opposition appears to me to be randomly throwing mud.

“ … with no additional funding guaranteed beyond what the agency can raise by penalizing companies for breaking the law.”

This too is false, in that the CPRA has guaranteed cost of living increases.  While not guaranteed, the legislature can also vote to give more money to the PPA. i.e. the $10 million is a floor.

“This incentivizes tackling easy cases and smaller companies that can’t afford top-flight legal defenses and pretty much assures the enforcement agency will be outgunned by big tech and multinational corporations.”

Well, actually this does not match what the California AG states as its priorities in its budget (see my CalPPA blog), which is to go after firms that have top-flight legal defenses which implies large tech companies, and assumes it will have 2-3 big whale court cases per year.  And given the CPRA with the PPA has over 2x the funding of current AG Privacy Unit, unless the PPA board (which has not been chosen) decides to do a U-turn on the current strategy, the PPA could pursue 5-8 high profile cases.  So, I am going to call this statement pure speculation, as no one knows what the litigation strategy will be in three years in terms of targeting small vs. larger firms.

In summary, in doing a simple fact check of what the opposition to Proposition 24 has said specific to one of the biggest new features of the CPRA — the proposal for an independent Privacy Protection Agency — it is quite evident that their claims about the PPA do not gibe with a cursory reading of the proposed law.  So, let’s put this one as false.   Let’s move onto #2.

Argument #2:  something about a “system integrity” loophole

First, this argument says something is explicitly referred to as “system integrity” but if you search the text of the CPRA, that phrase does not come up, so I guess they are confused or making up a name or didn’t read the law.  Maybe they are trying to refer to a new definition in the CPRA in Section 1798.140 (ac), but it iscalled “security and integrity.”  The definition of “security and integrity” is quite specific:

“Security and Integrity” means the ability: (1) of a network or an information system to detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information; (2) to detect security incidents, resist malicious, deceptive, fraudulent, or illegal actions, and to help prosecute those responsible for such actions; and (3) a business to ensure the physical safety of natural persons.

And this concept amends this sentence from the CCPA

“Detectsecurityincidents,protectagainstmalicious,deceptive,fraudulent,orillegalactivity;orprosecutethoseresponsibleforthatactivity.”

Being a person with over 15 years of cybersecurity experience, to me the change from CCPA to CPRA is not “vaguer,” it is more specific, meaning less likely to be loopholed.  In fact, most people who read the two — especially domain experts on cybersecurity — would think it tightens things for business, versus “mean just about anything.”  

The article then says this alleged loophole specifically “reduces the efficacy of your opt-out.”  So I guess what they are saying if a consumer goes to a business’ website, clicks “Do Not Sell or Share My Information”, and then the law would let the business to say we can’t let you do that because they are trying to secure they website?  Businesses can use any excuse to avoid compliance, and maybe if the business detects a bot flooding 1000s of requests clicking the Do Not Sell link, the business would stop that bot attack as that is completely reasonable, but they would be clearly not in compliance if a non-bot (i.e. a real consumer) was blocked from clicking to opt-out.

If anything, their argument could be more valid as it relates to the Right to Delete (e.g. a business may try to brush off a consumer’s request to delete because they tell you they still need it for anti-fraud detection), but that is not what their argument says — they tied it to the “efficacy of your opt-out.”  Combined with a making hay about a term that does not exist in the law and it says the CPRA is vague when it is more tightly defined on this matter, I would have to mark this argument written as misleading.

Look, if a definition needs fixing, note there is the ability to fix various definitions via the Regulations (as was been the case with the CCPA) based on public participation.  And if there something fishy going on vis a vis business practices and rejecting opt-outs, note that the CPRA does add new obligations to businesses that are not in the CPRA, such as the ability to force a business to provide the CalPPA a data impact analysis report that could root out bad behavior by businesses (see § 1798.185(a)), or be subpoenaed etc..  Plus, with significantly beefed up enforcement that the CalPPA gives consumers, it is more likely that any flagrant violations will be more likely gone after.

Argument #3:  Pay for Privacy

Remember their key point is that CPRA somehow “enhances” something they call “pay for privacy” vis a vis the CCPA.

Let’s step back here and put things into context.  As we know some companies have business models where they don’t charge consumers for their service, but they derive revenue in using your data in various ways. The existing CCPA, specifically Section 1798.125, says in sub-section (a) that business cannot discriminate against you if you opt-out or exercise any other CCPA rights like request to delete etc. (but fun fact that the CPRA actually adds more consumer privacy rights like Right to Correct!). 

But sub-section (b) says “a business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information,” and, more germane to this argument, it says “A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data.”   But that fee cannot be “unjust, unreasonable, coercive, or usurious in nature.”

That’s the current law, and privacy groups historically don’t like (b).  If you want to call it pay for privacy, fine. 

The groups not supporting Prop 24 wanted the CPRA to change this.  This is what they (including Media Alliance) wrote back in October on this subject

If one were to do a cursory comparison of that section in CCPA and CPRA, the CPRA does change the language of section 1798.125, and it actually tightens up a bit in a pro-consumer way by adding to sub-section (a) that you can’t discriminate against an employee or an applicant, and it changes up (b) to add if a consumer refuses to provide opt-in consent, then the business must wait 12 months before their next request. 

So, they say it “enhances” their pay-for-privacy concept, when in fact it does not enhance it, the CPRA changes are more pro-consumer. But the real issue is that the opponents really wanted the 125(a)(2) & (b) removed, and with the CPRA they did not get all what they wanted, so they are attacking the incremental improvements it does make by falsely saying it makes things worse.  If they said “we hate this feature in the current CCPA law and we don’t like the new proposed law because it does not completely strike it out” that would have been their truthful argument, but instead they spin the CPRA as worse as CCPA when it is not.  Just compare the same section from the two laws.   And frankly, if they explained what they really wanted, some consumers may say gee I really don’t agree with your argument, i.e. maybe businesses should have the right to charge for their free service if consumers don’t let them use the consumer’s data in certain ways.  So, maybe what they really want is a not a winning argument (the bill they backed in 2019 did not make it out committee in the State Assembly), so instead they muddy the waters.

Next, they imply that the CPRA makes it hard for the Legislature to change language in the law, in this case as it relates to this section 1798.125. The reality is the CPRA can be amended if it furthers consumer privacy.  Pretty cut and dry per the text.

So, I would rate this argument as false too.

Argument #4:  The CPRA Downgrades Business Obligations

The fact is that the CPRA adds more obligations on businesses if you compare the two.  

And given that “all three of these things” (i.e. the first three arguments) are false and/or misleading per above, then this argument falls apart.  And when they say “big businesses have not objected to the ballot initiative and we can see why” … guess what … the ink is not even dry with the CPRA making the ballot.  Here we are in the bottom of the first inning of a baseball game, maybe two or three pitches are thrown, and here they are declaring the game over in terms of whose picking sides.  So, throw a splash of misleading on top of this argument.

Argument #5:  the CPRA does not reflect CCPA being in action

The CCPA went into effect on January 1, 2020.  Per testimony to the State Assembly on June 12, 2020, the backers of the initiative stated that signature collection began in the December of 2019 timeframe.  It concluded in the spring.  So, signatures were still being collected when the law into effect, so this statement that the CPRA “literally had not gone into effect before the signatures were collected” is … “literally” not true.  Maybe not a big deal, but indicative of not being able to get basic facts correct.

The argument I assume they are making is “should we not wait to see how the CPRA goes for a year or so and then make any decisions to improve privacy based on that?”  Well, the counterarguments to that are the following:

1. The backers behind the CPRA made it very clear that the model for the CPRA is the GDPR.  Here is how the CCPA and GDPR compare at a summary level and at a nitty-gritty level.  The GDPR is has been in place since 2018, so there is plenty of data on what works and what does not work, and the authors of the CPRA tried to reflect that.  The point is it was not written in a vacuum;

2. Ironically, the opponents of Prop 24 had no problem promoting their own preferred privacy bill in early 2019, called the “Privacy for All Act,” which got pulled before it could even get a sub-committee hearing.  So, they seem to be perfectly fine with their own bill not seeing how the CCPA “worked and didn’t work,” but if someone else does it … ; and

3. The world of big tech and personal data consumption moves rapidly, so if you wait two years to propose something and then deal with 2-3 years to get a new law passed and effective, you have given the Big Tech firms 5 or so years to potentially run crazy.  Do you think data brokers and Facebook are sitting still? The CPRA is a Version 2.0 upgrade of the CCPA.  It would be effective on January 1, 2023, which is three years after CCPA went into effect.  Do you want an privacy law upgrade every 3 or 6 years to keep pace with Big Tech? 

Now their counterargument to point #3 could be, we don’t want a timely upgrade if the upgrade is “horrible.”  But their 5 arguments about the alleged horribleness are totally called into question with this blog post.  Meanwhile here is my blog on the 12 reasons why the CPRA is net positive in terms of enhancing Californians’ privacy, and even if California only got half of them, it would be a significant upgrade to the CCPA.  So, I would call this argument misleading in a small way and a bit hypocritical.  

But I think you could have stopped at the first fact check of their lead argument against the CalPPA in terms of whether you can trust this article or not.